Cambridge MC Optimises the Cyber Hygiene of a Major Academic Institution

Author

Introduction

The National Counterintelligence & Security Center (NCSC) suggests that universities are particularly vulnerable to cyber crime because they are key contributors to the economy, skills development, and innovation.

Cambridge MC was approached to conduct a comprehensive cyber capability maturity assessment for a major UK academic institution, leveraging a team of experts with technical understanding and frontline experience in cyber defence. This team carried out a thorough evaluation through a series of tests, interviews, and artefact examinations. Unlike conventional assessments, our strategy focused on actionable insights which were tailored to the unique operational context of the institution. 

The assessment was structured around recognised capability categories, informed by the team’s extensive experience defending against cyber attacks. The methodology was particularly effective for its sensitivity to the institution’s risk appetite—balancing cost, risk, and investment to propose solutions that were unique to their situation.

Project Overview

• The primary challenge was the institution’s realisation that its existing cyber hygiene practices and IT discipline might not be sufficiently robust to withstand increasingly advanced tactics employed by cybercriminals and their growing interest in the education sector.

• The institution sought out Cambridge MC to identify these vulnerabilities, assess the overall maturity of its cybersecurity practices, and recommend strategic improvements. This meant not only highlighting technical deficiencies, but also providing a holistic evaluation of the institution’s security posture, considering the practical realities of defending against threats. This included an assessment of the institution’s risk readiness, infrastructure resilience and staff preparedness.

• Cambridge MC’s goal was to ensure that the recommendations produced as a result of this assessment were not only technically sound but contextually appropriate and aligned with the institution’s strategic objectives and resources constraints. This personalised approach was crucial in designing a cyber security strategy that was both achievable and sustainable.

Strategy

What we did

Our approach involved a thorough assessment of the institution’s cyber infrastructure, including tests, interviews, and the examination of artefacts to gain a holistic understanding of their cyber maturity. To do this, we engaged experts with significant technical depth and extensive experience in cyber defence and leadership roles; a blend which was crucial in conducting a maturity assessment that focused on pragmatic gap closures.

Why we did it this way

Our methodology was designed to move beyond mere technical details and address the practical aspects of cyber security. By organising our work into recognised capability categories, we targeted areas that, if weak, would likely lead to vulnerability and a high risk of attack. This approach allowed us to pinpoint critical gaps in the institution’s cyber security practices and propose target improvements.

Concepts and methodologies applied

We applied a risk-based approach, sensitive to the institution’s risk appetite, to make practical trade-offs between cost, risk, and investment. This ensured that our recommendations were contextually appropriate and aligned with the institution’s strategic objectives. Our assessment framework was grounded in industry-best practices and standards, tailored to the unique needs and challenges of the academic sector.

Obstacles encountered and overcoming them

One of the main obstacles we encountered was resistance to change, a common challenge for institutions with established routines and cultures. To overcome this, we emphasised the importance of cyber hygiene and IT discipline through clear, evidence-based findings and recommendations. We conducted workshops and discussions to engage stakeholders at all levels, highlighting the tangible benefits of enhancing their cyber security posture and demonstrating how our recommendations could be implemented in a manageable manner.

The Team

The Cambridge MC cyber security team tasked with supporting on this project was comprised of:

• A technically adept practitioner specialising in vulnerability testing, equipped with cutting-edge knowledge of tools and techniques for identifying weaknesses in the institution’s cyber defences. This role was crucial for uncovering hidden vulnerabilities that could be exploited by attackers, providing a technical foundation for the assessment.

• Back-office risk experts with a deep understanding of the broader risk landscape and risk management principles, ensuring that the assessment considered not just technical vulnerabilities but also organisational and procedural risks, aligning the cyber security strategy with the institution’s overall risk appetite.

• A security leader with 30 years of experience building and running security services, who offered strategic oversight and practical insight into effective cyber defence mechanisms and was vital in ensuring the recommendations were not only theoretically sound but also pragmatically achievable.

Together, these professionals ensured a comprehensive, nuanced, and highly practical assessment, underlining the importance of a balanced team in addressing complex cyber security challenges.

Outcome & Results

1. Optimised Cyber Resilience
   We recommended and outlined a robust workflow and identity management system across all of the institution’s systems, emphasising the need for multi-stakeholder cooperation. This highlighted the challenge of managing over tens of thousands of accounts for a community of many fewer staff and students.
   
   
2. Longevity
   We made clear, actionable recommendations describing implementation plans for changes, such as improving the security culture and some operational deliverables associated with SOC efficacy, all of which were agreed upon by the leadership team who assured us that these changes would be in place at this institution for the next three years.
   
   
3. Staff Readiness
   We enhanced the security awareness and training of the staff, postgraduate researchers, and students, including specialised training for the Information Security team. We also made recommendations for improving security posture, such as the adoption of Cloud Access Security Broker (CASB) and Data Leakage Prevention (DLP) solutions, and the development of a quantitative risk forecasting methodology.
   
   
4. Forward Planning
   We also made suggestions for future improvements, including SOC operational activities, creating new initiatives targeting cyber kill chain strategy areas, and planning disaster recovery tests for ICT systems. 

Cyber Security Homepage

Our Cyber Security services are run by John Madelin, a well-known industry expert who advises large multinationals and governments on their digital security. To find out more go to the Cyber Security service homepage.

About Cambridge Management Consulting

Cambridge Management Consulting (Cambridge MC) is an international consulting firm that helps companies of all sizes have a better impact on the world. Founded in Cambridge, UK, initially to help the start-up community, Cambridge MC has grown to over 150 consultants working on projects in 20 countries.

Our capabilities focus on supporting the private and public sector with their people, process and digital technology challenges.

For more information visit www.cambridgemc.com or get in touch below.